Cisco Anyconnect issue-cannot ping internal networks

rwills — Sun, 12 May 2019 00:52:21 GMT

I am trying to set up an AnyConnect VPN. I am able to connect to the VPN, and I am pulling an IP from the pool. But I cannot ping the interface of the Inside network. This is a new firewall and the VPN is one of the first things I am configuring, so that is why the config is a bit sparse. The IP I was trying to ping is 192.168.111.1. Any help is appreciated.

license smart
feature tier standard
throughput level 1G
names
no mac-address auto
ip local pool VPN-POOL 192.168.105.5-192.168.105.250 mask 255.255.255.0

!
interface GigabitEthernet0/0
nameif Outside
security-level 0
ip address xxx.xxx.xxx.xxx xxx.xxx.xxx.xxx
!
interface GigabitEthernet0/1
nameif Inside
security-level 0
ip address 192.168.111.1 255.255.255.0 standby 192.168.111.254
!
interface GigabitEthernet0/2
nameif web
security-level 0
ip address 192.168.224.1 255.255.255.0 standby 192.168.224.254
!
interface GigabitEthernet0/3
nameif DMZ
security-level 0
ip address 192.168.222.1 255.255.255.0 standby 192.168.222.254
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/6
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/8
description LAN/STATE Failover Interface
!
interface Management0/0
nameif management
security-level 0
ip address 192.168.189.101 255.255.255.0 standby 192.168.189.102
!
ftp mode passive
dns domain-lookup management
dns server-group DefaultDNS
name-server 192.168.111.2
access-list Inside_access_in extended permit icmp any host 192.168.111.1
pager lines 23
logging enable
logging asdm informational
mtu Outside 1500
mtu Inside 1500
mtu web 1500
mtu DMZ 1500
mtu management 1500
failover
failover lan unit primary
failover lan interface fover GigabitEthernet0/8
failover link fover GigabitEthernet0/8
failover interface ip fover 192.168.191.1 255.255.255.240 standby 192.168.191.2
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
arp rate-limit 8192
access-group Inside_access_in in interface Inside
route Outside 0.0.0.0 0.0.0.0 208.86.41.129 1
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 sctp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
timeout conn-holddown 0:00:15
timeout igp stale-route 0:01:10
user-identity default-domain LOCAL
aaa authentication ssh console LOCAL
aaa authentication login-history
http server enable
http 0.0.0.0 0.0.0.0 management
no snmp-server location
no snmp-server contact
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpoint _SmartCallHome_ServerCA
no validation-usage
crl configure
crypto ca trustpoint ASDM_TrustPoint0
enrollment self
subject-name CN=(CompanyName)-ASAv-1
proxy-ldc-issuer
crl configure
crypto ca trustpool policy
auto-import
crypto ca certificate chain _SmartCallHome_ServerCA
certificate ca **********************
quit
crypto ca certificate chain ASDM_TrustPoint0
certificate *****************
quit
telnet timeout 5
ssh stricthostkeycheck
ssh 192.168.111.0 255.255.255.0 Inside
ssh 192.168.189.0 255.255.255.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl trust-point ASDM_TrustPoint0 Outside
webvpn
enable Outside
hsts
enable
max-age 31536000
include-sub-domains
no preload
anyconnect image disk0:/anyconnect-win-4.7.02036-webdeploy-k9.pkg 1
anyconnect image disk0:/anyconnect-macos-4.7.02036-webdeploy-k9.pkg 2
anyconnect enable
tunnel-group-list enable
cache
disable
error-recovery disable
group-policy GroupPolicy_SSLVPN internal
group-policy GroupPolicy_SSLVPN attributes
dns-server value 192.168.111.2
vpn-tunnel-protocol ssl-client
default-domain value lift361.com
dynamic-access-policy-record DfltAccessPolicy
username CAuser password ********* privilege 2
username Luser password ********* privilege 15
username CDuser password ********** privilege 15
tunnel-group SSLVPN type remote-access
tunnel-group SSLVPN general-attributes
address-pool VPN-POOL
default-group-policy GroupPolicy_SSLVPN
tunnel-group SSLVPN webvpn-attributes
group-alias SSLVPN enable
!
class-map inspection_default
match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map global_policy
class inspection_default
inspect ip-options
inspect netbios
inspect rtsp
inspect sunrpc
inspect tftp
inspect xdmcp
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect esmtp
inspect sqlnet
inspect sip
inspect skinny
policy-map type inspect dns migrated_dns_map_2
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
policy-map type inspect dns migrated_dns_map_1
parameters
message-length maximum client auto
message-length maximum 512
no tcp-inspection
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
no active
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination address email callhome@cisco.com
destination transport-method http
subscribe-to-alert-group diagnostic
subscribe-to-alert-group environment
subscribe-to-alert-group inventory periodic monthly
subscribe-to-alert-group configuration periodic monthly
subscribe-to-alert-group telemetry periodic daily
profile License
destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
destination transport-method http
Cryptochecksum:************************
: end

Re: Cisco Anyconnect issue-cannot ping internal networks

Marvin Rhoads — Sun, 12 May 2019 04:05:31 GMT

That's the normal behavior. By design you cannot interact with the interface that your traffic would normally be using for egress.

Re: Cisco Anyconnect issue-cannot ping internal networks

rwills — Sun, 12 May 2019 12:55:52 GMT

Ok. I guess I will have to get creative about testing then, since I have nothing on the other side until I do the actual cutover. Thanks.

topic Re: Cisco Anyconnect issue-cannot ping internal networks in Network Security

Cisco Anyconnect issue-cannot ping internal networks

Re: Cisco Anyconnect issue-cannot ping internal networks

Re: Cisco Anyconnect issue-cannot ping internal networks